I want to find out whether an incoming HTTP_REQUEST call from a third party website is coming from the list of domains that I defined.
I know that HTTP_REFERER can b
Upgraded:
    // Returns true when $incomingOrigin is $allowOrigin or one of its subdomains.
    // Only http:// origins match this pattern.
    function isOriginAllowed($incomingOrigin, $allowOrigin)
    {
        // preg_quote() stops the dots in the host name from matching any character.
        $pattern = '/^http:\/\/([\w_-]+\.)*' . preg_quote($allowOrigin, '/') . '$/';
        return preg_match($pattern, $incomingOrigin) === 1;
    }

    $incomingOrigin = array_key_exists('HTTP_ORIGIN', $_SERVER) ? $_SERVER['HTTP_ORIGIN'] : null;
    $allowOrigin = $_SERVER['HTTP_HOST'];
    // Reject the request when an Origin header is present and does NOT match.
    if ($incomingOrigin !== null && !isOriginAllowed($incomingOrigin, $allowOrigin))
    {
        exit("CSRF protection in POST request: detected invalid Origin header: " . $incomingOrigin);
    }
Example:
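
The question asks for a check against a defined list of domains. As an added example (not part of the original post), this is one way to do it by parsing the Origin header and comparing the host on label boundaries instead of with a regex. The function name, the allowed domains and the sample origins are assumptions made up for illustration; `str_ends_with()` requires PHP 8.

```php
<?php
// Added example: all names and sample values are constructed for illustration.

/**
 * Return true when the Origin header value belongs to one of the allowed
 * domains (the domain itself or any subdomain of it).
 */
function originInAllowList(?string $origin, array $allowedDomains): bool
{
    if ($origin === null || $origin === '') {
        return false; // no Origin header: treated as not allowed here
    }
    $parts = parse_url($origin);
    // An Origin is scheme://host[:port] only; paths, queries, userinfo are rejected.
    if ($parts === false || !isset($parts['scheme'], $parts['host'])
        || array_diff_key($parts, ['scheme' => 1, 'host' => 1, 'port' => 1])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    $host = strtolower($parts['host']);
    foreach ($allowedDomains as $domain) {
        $domain = strtolower($domain);
        // Exact match, or a suffix match that starts on a label boundary.
        if ($host === $domain || str_ends_with($host, '.' . $domain)) {
            return true;
        }
    }
    return false;
}

// Constructed sample data.
$allowed = ['example.com', 'partner.example.org'];
$samples = [
    'https://example.com',            // exact match
    'http://shop.example.com:8080',   // subdomain with a port
    'https://example.com.evil.test',  // allowed name used only as a prefix
    'https://notexample.com',         // allowed name without a label boundary
    'https://exampleXcom',            // would match a regex with an unescaped dot
    'null',                           // opaque origin sent by sandboxed contexts
];
foreach ($samples as $origin) {
    printf("%-32s %s\n", $origin, originInAllowList($origin, $allowed) ? 'allow' : 'reject');
}
```

Only the first two sample origins are allowed; the remaining four are rejected.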